Are Macs vulnerable? Windows .exe files used to infect macOS

A look at a newly discovered type of malware that specifically targets Mac users

Our advanced threat team at Blackpoint Cyber recently came across an interesting find by Trend Micro's researchers: popular torrents promising cracked versions of well-known software actually delivered malicious payloads.

This newly discovered campaign delivers malware that targets macOS with the help of an .exe file, a Windows executable format that macOS cannot run natively.

Double-clicking an .exe file on macOS normally just produces an error message. This malware, however, bundles files from the Mono framework, a popular open source implementation of Microsoft .NET that lets developers run .NET applications across platforms, so the bundled .exe can be executed on the Mac. Because the outer macOS application is signed, Gatekeeper, which checks whether software comes from an identified developer, treats the application as legitimate and allows it to run. The application then launches the malicious .exe, which Gatekeeper never evaluates because it is not a native Mac executable.

When the .exe file (Installer.exe in the researchers' screenshot) runs, it deploys a data-stealing payload and adware.

This infiltration and code execution method gives attackers a new way to target macOS. Although the current versions of this malware only steal data and install adware, the ability to execute arbitrary code by hiding it inside a legitimate-looking, signed macOS application is likely to be reused for more damaging purposes.

This malware campaign has been spotted in the United States, United Kingdom, South Africa, Australia, and other countries.

Undercover .exe files hidden within a .DMG file

The researchers first discovered this technique in a cracked copy of Little Snitch, a popular macOS firewall tool, distributed through download sites and torrents.

When the researchers investigated further, they found other publicly available downloads that looked legitimate but carried the same malware. The following .zip files all contained an infected .DMG:

Little_Snitch_583_MAC_OS_X.zip

LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip

TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip

Sylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip

Each of the above zip files contains a .DMG file. When the .DMG is opened and the application inside it is run, the malware starts silently collecting machine information, including:

ModelName

ModelIdentifier

Processor Speed

ProcessorDetails

Memory

BootROMVersion

SMCVersion

SerialNumber

Along with the system information, the malware scans the infected machine for installed applications and sends everything it gathers to a remote command and control server.

In addition, the malware downloads several files from the internet and saves them to the directory ~/Library/X2441139MAC/Temp/.
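As an added example (not code from the original post or from Trend Micro's research), the following Python script turns the two observations above into checks an analyst can run: it walks an extracted .app or mounted .DMG looking for Windows PE images (identified by their MZ/PE headers rather than the file extension, so a renamed .exe is still caught) sitting next to a Mono runtime, and it checks each user home directory for the ~/Library/X2441139MAC/Temp/ artifact directory. The Installer.app layout, file names and file contents built in demo() are constructed samples; the Mono file-name markers are an assumption about how a bundled Mono runtime is typically named.

```python
"""Triage helper (added example): find Windows PE files bundled with a Mono
runtime inside a macOS application, and hunt for the artifact directory
~/Library/X2441139MAC/Temp/ across user homes."""
import hashlib
import os
import struct
import tempfile
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values from the PE specification.
PE_MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Assumption: typical file names of a bundled Mono runtime (not from the post).
MONO_MARKERS = ("libmono", "libmonosgen", "mono-2.0", "mscorlib.dll")
# Artifact directory named in the post, relative to a user's home directory.
ARTIFACT_DIR = Path("Library") / "X2441139MAC" / "Temp"


def pe_machine(path):
    """Return the PE machine type if `path` is a Windows PE image, else None.

    Reads the DOS header, follows e_lfanew (offset 0x3C) to the NT headers and
    verifies the 'PE\\0\\0' signature before trusting the file."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return None
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            nt = f.read(6)
    except OSError:
        return None
    if len(nt) < 6 or nt[:4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", nt, 4)[0]
    return PE_MACHINE.get(machine, "unknown(0x%x)" % machine)


def scan_bundle(root):
    """Walk `root` (an extracted .app or a mounted .dmg) and report PE images
    and Mono runtime files. The combination of both is the technique described
    in the post, so 'suspicious' is set only when both are present."""
    pe, mono = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if any(marker in name.lower() for marker in MONO_MARKERS):
                mono.append(path)
            machine = pe_machine(path)
            if machine:
                pe.append((path, machine))
    return {"pe": pe, "mono": mono, "suspicious": bool(pe and mono)}


def find_artifacts(homes_root):
    """Check every home directory under `homes_root` (normally /Users) for the
    artifact directory; return {user: [(file_path, sha256)]} for each hit."""
    hits = {}
    homes_root = Path(homes_root)
    if not homes_root.is_dir():
        return hits
    for home in homes_root.iterdir():
        artifact_dir = home / ARTIFACT_DIR
        if not artifact_dir.is_dir():
            continue
        files = [(str(f), hashlib.sha256(f.read_bytes()).hexdigest())
                 for f in sorted(artifact_dir.rglob("*")) if f.is_file()]
        hits[home.name] = files
    return hits


def make_fake_pe(machine=0x8664):
    """Constructed sample: a minimal MZ + PE header (not a runnable program)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> NT headers at 0x40
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


def demo():
    """Build a constructed Installer.app and a fake /Users tree in a temporary
    directory, scan both, and return (bundle_report, artifact_hits)."""
    macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 60       # Mach-O magic: native, not PE
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        macos_dir = tmp / "Installer.app" / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (macos_dir / "Installer").write_bytes(macho)               # signed launcher stand-in
        (macos_dir / "libmonosgen-2.0.dylib").write_bytes(macho)   # bundled Mono runtime
        (macos_dir / "Installer.exe").write_bytes(make_fake_pe())  # the Windows payload
        victim_dir = tmp / "Users" / "victim" / ARTIFACT_DIR
        victim_dir.mkdir(parents=True)
        (victim_dir / "payload.bin").write_bytes(b"constructed sample")
        return scan_bundle(tmp / "Installer.app"), find_artifacts(tmp / "Users")


if __name__ == "__main__":
    bundle, artifacts = demo()
    print("suspicious bundle:", bundle["suspicious"])
    for path, machine in bundle["pe"]:
        print("  PE image:", path, machine)
    for user, files in artifacts.items():
        print("artifact dir for user %s: %d file(s)" % (user, len(files)))
```

On a real system, point scan_bundle() at the mounted .DMG (for example /Volumes/Little Snitch) or at the .app it contains, and find_artifacts() at /Users; a bundle that carries both a PE image and a Mono runtime deserves a closer look even if Gatekeeper accepted it, since Gatekeeper only evaluated the native launcher.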

This new malware shows how attackers continue to innovate and find new ways to achieve code execution. At Blackpoint, we believe in developing technological solutions and services that are malware agnostic and focus on tradecraft and techniques. To learn more, check out https://blackpointcyber.com/

BlackPoint Cyber
